Novell Analyzer for Identity Manager Readme

August 15, 2008

This document provides important information related to Novell® Analyzer for Identity Manager. It includes the following sections: Overview, System Requirements, Known Issues, Third-Party License Information, and Legal Notices.

1.0 Overview

Analyzer is an Eclipse-based Identity Manager project that provides a set of tools aimed at ensuring general internal policies are adhered to in the area of data quality, which includes data analysis, data cleansing, data reconciliation and data monitoring/reporting. Customers can use Analyzer to analyze, enhance and control all data stores throughout their enterprise.

Three phases—Analyze, Enhance and Control—are particularly important when designing Identity Management solutions. Before implementing an Identity Management solution, designers spend a significant amount of time analyzing the identity data, cleansing the identity data, and modeling business rules to create identity data replication and synchronization policies that guarantee the data remains in a reliable state. Additionally, after an Identity solution is put into place, customers must verify and reconcile that these processes are performing as intended to maintain consistent and reliable data.

The goal of Analyzer is to provide a set of tools to resolve data quality issues and improve the Identity Manager deployment process. Industry analysts note that Identity Management projects spend 3 - 8 times more than the cost of the software on design and implementation. Analyzer attacks these project-related costs directly by providing a powerful environment for cleaning and preparing identity data in order to streamline identity infrastructure implementations.

Novell is developing Analyzer under an iterative development model. At the end of each iteration Novell releases a milestone build that encompasses the goals of that milestone. These milestones provide customers with access to the product throughout the development cycle so they can participate in directing development decisions over time.

2.0 System Requirements

Review the following system requirements before installing Analyzer 1.0.

2.1 Hardware Requirements

Analyzer 1.0 has the same hardware requirements as Designer for Identity Manager 3.0:

  • Minimum video resolution: 1024x768 (1280x1024 recommended)

  • Memory: 512 MB minimum (1 GB recommended)

  • Processor: 1 GHz or higher

2.2 Software Requirements

Analyzer 1.0 has the following software requirements:

  • Designer for Identity Manager 3.0

  • Designer requires one of the following operating systems:

    • SUSE® Linux Enterprise Desktop 10 SP1

    • SUSE Linux Enterprise Server 10 SP1

    • openSUSE® 10.3

    • Windows* XP or Vista

  • Gettext Utilities (Linux installation only)

2.3 Available Drivers

The following Identity Manager drivers have been tested with Analyzer 1.0, both locally and remotely where applicable:

  • Active Directory*

  • JDBC

    NOTE: The JDBC driver has been tested with the following databases: DB2*, Informix*, MySQL*, Oracle*, PostgreSQL, SQL Server*, and Sybase*.

  • LDAP

  • PeopleSoft*

  • i5/OS*

  • LinuxUnix

  • OS/400*

  • RACF*

  • SAP* User

  • TopSecret*

For information about installing and configuring a Remote Loader for the drivers that require it, see the Identity Manager Remote Loader documentation.

3.0 Known Issues

The following issues exist in the Analyzer 1.0 environment:

3.1 Avoid Using Projects Created with Pre-Release Versions of Analyzer

Over the course of its development, Analyzer 1.0 has gone through some significant architectural and model changes. Because of this, projects created with pre-release versions of Analyzer might not work properly with Analyzer 1.0.

To avoid difficulty, specify a new workspace for Analyzer 1.0 and do not mix old projects with new projects. When using the internal Analyzer database, this ensures that you are not mixing pre-release data tables and formats with Analyzer 1.0 data tables.

If you use an external MySQL database as your Analyzer database, clean out any pre-release data before using it with Analyzer 1.0. To do this, use your preferred database management tool to delete the following database tables before starting Analyzer 1.0 for the first time:

  • DSTable_ver where ver is a version number

  • AnalysisTable_ver where ver is a version number

  • All tables with an enf_ prefix

Alternatively, you can create a new MySQL database for use with Analyzer 1.0.

3.2 Data Browser Issues

Please note the following issues when using the Data Browser:

Limit Attributes in Data Set Definition: Novell recommends restricting data set definitions to fewer than 10 attributes for optimal Data Browser performance. Creating data set definitions with more than 10 attributes causes the Data Browser performance to deteriorate significantly.

Painting Issues: When returning from the Multi-Value Edit Dialog to a cell with multiple values, Analyzer does not repaint the table cursor correctly. Also, painting issues occur on Windows when adding a new value, if doing so causes the cell size to automatically increase.

To correct the display, move to another cell with a click or arrow key, then move back to the original cell.

Sorting Issues: Integer columns sort as strings instead of integers. For example, 100 sorts before 90. Also, sorting is case sensitive. For example, “Bob” sorts before “andy”.

Empty Column in Flat File Data Import: The Source-DN field is always empty in a data set instance imported from a flat file. You can ignore it.

3.3 Analyzer Does Not Start After Installing on Windows Vista

Windows Vista* has implemented a new User Account Control feature that prevents applications from running as Administrator unless you specifically allow it.

To run Analyzer in Vista, right-click on the Analyzer shortcut and choose the option to “Run as Administrator”. You may also choose to disable “User Account Control”.

3.4 Analyzer DB Does not Initialize After Restart

If you quickly stop and restart Analyzer, the Analyzer Database might not reinitialize properly. To avoid this problem, wait thirty seconds or so before restarting Analyzer.

If Analyzer starts and the Analyzer Database is not initialized correctly, select Refresh View in the Project View to reinitialize the database.

3.5 Using a MySQL External Database with Analyzer

Analyzer allows you to change its internal database from the default Hypersonic SQL (HSQL) database to a MySQL database. You can configure database settings in Window > Preferences > Analyzer > Database Settings. When using an external MySQL database, be aware of the following issues:

Importing a Data Set Instance: An error might occur when importing a data set instance to the MySQL database if another instance of Analyzer is accessing the MySQL database at the same time. This is a synchronization error between Hibernate and the MySQL server. To work around this problem:

  • Wait a minute, then try to import the data set instance again.

  • Open Window > Preferences > Analyzer > Database Settings, then click OK to reinitialize the database settings.

Automatically Creating MySQL Database: When you designate an external MySQL database for use by Analyzer (in Window > Preferences > Analyzer > Database Settings), Analyzer automatically attempts to create the database. However, if you have any issues accessing the MySQL database after doing this, you might need to create the database manually first. When doing this, test access to the database with the user credentials that Analyzer will use.

Extended and Double-Byte Characters: The MySQL database uses the default character set from the operating system for encoding table fields. If an extended or double-byte character is not recognized by the default character set, Analyzer displays ??? in the Data Browser. To avoid this, set the operating system’s default character set to UTF-8, or to a character set that includes all the extended or double-byte characters that Analyzer might import.

3.6 SAP User Driver Requires Additional Files

To use the SAP user driver, you must install the sapjco.jar library in Analyzer, and install the librfc32.dll and sapjcorfc.dll into the Windows %systemroot% folder (typically C:\windows\system32).

Restart Analyzer after installing these files.

3.7 DB2 Driver Requires Additional Libraries

The Analyzer DB2 driver requires the following two libraries to function properly. You can download these libraries from IBM*.

  • db2java.zip

  • db2jcc.jar

3.8 Warning About Modifying Data

Analyzer does not prevent users from modifying anything in a data set. If a user with appropriate rights to the source application modifies a value, for example a GUID or DN, Analyzer does not attempt to determine if the modification will cause a problem when written out to the source application.

Users should be careful when modifying data and sending those modifications to the source application to avoid causing unintended problems in the source application.

3.9 Errors When Sending Updated Data to an Application

When attempting to push updated data to the source application from Analyzer’s Data Browser (by clicking Save to Application), you might get an error indicating there was a problem with the update operation. However, the Data Browser’s modified data indicators in the data table change to indicate that the updates were successful.

If this occurs, the data updates might have been unsuccessful. Re-import the data from the source application to make sure you know the true state of the data before making any other data modifications.

Problems with the update operation primarily occur when adding a value to a multi-valued attribute.

3.10 IDS Trace Level

The IDS Trace view consumes significant resources. You should only open the IDS Trace view when you need that information.

Additionally, the IDS Trace level is set to 3 by default in order to track connection problems and errors. This trace level can cause performance issues with data browsing. You can modify this setting by clicking the Preferences button in the IDS Trace view.

3.11 Importing Does Not Return Data from the Application

The following issues can prevent Analyzer from displaying data set content in the Data Browser view:

3.11.1 SQL Reserved Word Used as Column Name

Analyzer 1.0 does not support SQL reserved words as column names for data sets (for example, group or select). If a column name is an SQL reserved word, no data displays in the Data Browser view. To avoid this, exclude the column (attribute) with a reserved-word name from the data set.

3.11.2 Subscriber Is Disabled for the Selected Connection

By default, Analyzer’s Subscriber channel is enabled so that you can perform data set queries. However, if a Connection Profile was synchronized from Designer with the Subscriber channel disabled, it remains disabled for Analyzer. If your data sets do not have any data, confirm that the connection profile’s Subscriber channel is enabled in Analyzer.

To do this, right-click the desired connection profile, then select Properties. In the connection profile properties, select IDS Configuration > Parameters > Subscriber Options. Make sure that Disable subscriber is set to No (default).

3.12 Back Button Does Not Work in the Configuration Wizard

The Back button in the Configuration Wizard dialog boxes is not functional. If you need to make a change to the connection profile on which you are working, either cancel the wizard and start over, or finish configuring the connection profile and make the change in connection properties.

3.13 Analysis Does Not Consider Class Name

Analyzer performs its data analysis solely based on attribute name, and does not take into account the class name. Therefore, if you map attributes from different classes to the same application attribute, the Analysis tests only the first mapped attribute it encounters. For example, in the following schema map, Analyzer tests only the name attribute mapped to the Group class, and ignores the mapping in the User class.

Class = Group
  |___ Attribute = gname ---> name
Class = User
  |___ Attribute = uname ---> name

This issue might also exist with the preconfigured schema maps that Analyzer includes with its drivers. The mappings might be correct to the right attribute name, but not the correct class name.

This issue will be resolved in an upcoming milestone.

3.14 Deleting Multiple Projects Generates Exception Errors

If you delete multiple Analyzer projects simultaneously, the error log might record several exception messages. These messages are benign and do not indicate any problem with Analyzer or with the delete operation.

3.15 Some Characters Cause Problems with Pattern Frequency Analysis

The Pattern Frequency analysis metric does not work properly with data that includes the following characters. If you attempt to do a pattern frequency analysis on a data set that has values that contain any of these characters, the analysis fails and returns an empty result.

  Character    Description
  +            Plus (addition) symbol
  *            Asterisk
  .            Period
  '            Apostrophe
  ?            Question mark
  |            Pipe symbol
  \            Backslash symbol
  ( )          Left or right parentheses
  [ ]          Left or right bracket

3.16 Apostrophe in a Value Causes Problem with ‘Save to Application’

If you modify a data value in a data set instance so that it includes an apostrophe (‘), Analyzer generates a Java* exception error when attempting to save the changes back to the application. This occurs when using either the HSQL database or an external MySQL database for Analyzer.
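
A pre-flight scan for the characters named in sections 3.15 and 3.16, added here as an example and not part of Analyzer: it runs over exported records and reports, per attribute, which listed characters occur and which records hold an apostrophe. The record layout (a list of dictionaries, with a list standing for a multivalued attribute) and the sample data are assumptions.

```python
from collections import Counter

# Characters from the table in section 3.15; the apostrophe alone is
# what section 3.16 reports as breaking Save to Application.
PATTERN_FREQUENCY_CHARS = frozenset("+*.'?|\\()[]")
APOSTROPHE = "'"

# Constructed records; a list value stands for a multivalued attribute.
SAMPLE = [
    {"id": "10042", "cn": "Ann O'Brien", "mail": "ann.obrien@example.com",
     "phone": ["+1 555 0100", "555 0101"]},
    {"id": "10043", "cn": "Bob Stone", "mail": "bob@example.com",
     "phone": "(555) 0102"},
    {"id": "10044", "cn": "Cy Young", "mail": None, "phone": "555 0103"},
]


def scan_data_set(records):
    """Report, per attribute, which listed characters occur and where.

    Returns {attribute: {"chars": Counter of values containing each
    character, "records": indexes of affected records,
    "apostrophe_records": indexes of records holding an apostrophe}}.
    """
    report = {}
    for index, record in enumerate(records):
        for attr, value in record.items():
            values = value if isinstance(value, (list, tuple)) else [value]
            for item in values:
                if item is None:
                    continue
                hits = PATTERN_FREQUENCY_CHARS.intersection(str(item))
                if not hits:
                    continue
                entry = report.setdefault(attr, {
                    "chars": Counter(), "records": [],
                    "apostrophe_records": []})
                entry["chars"].update(hits)
                if index not in entry["records"]:
                    entry["records"].append(index)
                if APOSTROPHE in hits and index not in entry["apostrophe_records"]:
                    entry["apostrophe_records"].append(index)
    return report


def clean_attributes(records, report):
    """Attributes with no listed character in any record."""
    seen = {attr for record in records for attr in record}
    return sorted(seen - set(report))


if __name__ == "__main__":
    report = scan_data_set(SAMPLE)
    for attr, entry in sorted(report.items()):
        print(attr, dict(entry["chars"]), "records", entry["records"],
              "apostrophe in", entry["apostrophe_records"])
    print("no listed characters:", clean_attributes(SAMPLE, report))
```

Attributes returned by clean_attributes contain none of the listed characters; records listed under apostrophe_records are the ones section 3.16 applies to.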

3.17 Issues When an Attribute Contains Multiple Values

Analyzer has the following issues when working with data sources that contain attributes with multiple values. These issues do not apply to a multivalued attribute that contains only one value.

Data Comparison Tests: Attributes that contain multiple values present problems when performing uniqueness and matching tests. When using attributes that contain multiple values for the Matching Key, the test results are not accurate. Use attributes that contain only single values for the Matching Key.

Data Browser Display Range: Attributes that contain multiple values skew the record count in the Data Browser when using an external MySQL database as the Analyzer database. When setting the display range you will see fewer records than intended.

Import Performance: Attributes that contain multiple values can cause significant performance problems when importing data sets. To avoid this, restrict the number of attributes that contain multiple values in a single data set to 4 or 5.

3.18 Unable to Import Connections from Designer

If connections do not import properly from Designer, the likely problem is that the server configuration associated with the driver set in Designer is incorrect or incomplete. For example, when creating a new driver set in Designer, the default server DN is server.context. If you attempt to import connection information that includes invalid information like this, the import fails.

Before importing connection information from Designer, make sure the server information is valid.

3.19 Errors when Printing Reports

On Linux systems with CUPS printers, the JasperReports* framework is unable to print reports directly from the Report Viewer. However, you can save the report as a PDF file, then print it from a PDF reader.

3.20 Unable to Cancel Large Data Operations

When importing a large data set instance or running an SQL query on a large data set instance, clicking Cancel in the progress dialog box does not work. In this case you can either let the operation complete or shut down and restart Analyzer.

3.21 Error Message When Refreshing the Schema

In the Schema Map editor, if you attempt to refresh the schema at a time when the associated application driver cannot start, Analyzer displays an error message that might be difficult to understand. Start the driver and then re-run the refresh schema operation to avoid this problem.

3.22 Connection Wizard Help Pages

The Connection Wizard uses some dynamic help pages from which Designer is unable to properly reference the Analyzer help pages. Because of this, when you click the Help button you get general Eclipse help rather than dialog-specific help for the Connection Wizard.

The first three pages and the final Summary page in the Connection Wizard are static pages that properly display the Analyzer help. Use the help from these pages to get all the help information for the Connection Wizard.

3.23 Matching Analysis Does Not Exclude Deleted Values

If you have deleted values in the Data Browser that have not been updated to the Application, the deleted values are still considered when running a Matching Analysis.

3.24 Application Schema Import Fails

The Identity Vault schema does not support multiple classes with the same name. Some application schema, such as Notes, do support duplicate class names. If you want to import an application schema that includes duplicate class names, you should first consolidate the duplicate class names into a single class that contains the attributes from all duplicate classes.

If you cannot resolve the duplicate classes in the application schema, you can manually resolve the duplicate class names in Analyzer by doing the following:

WARNING: This procedure is not recommended and can cause inconsistencies in the Identity Vault schema. It should only be used if absolutely necessary.

  1. Open the IDS Trace view (Window > Show View > IDS Trace).

  2. In the Project view, right-click the appropriate connection, then select Refresh Schema.

    This captures the application schema in the IDS Trace. If the IDS trace does not capture the entire schema, increase the IDS Trace window size by clicking the Preferences icon, then increasing the Maximum lines to retain setting.

  3. Open the Navigator view (Window > Show View > Navigator).

  4. In the Navigator view, expand the appropriate project, then browse to Model > Analyzer.

  5. Double-click the appropriate schema file (*ShimConfig.xml) to open it in an XML editor.

    If there are multiple shim config files, you can identify the application associated with each file by opening the file and looking at the contents of the <class-name>, <auth-id>, and <auth-context> tags.

  6. In the XML editor, search for the following elements. If they do not exist, add them to the schema right above the closing </shim-config> tag.

    <app-schema-def>
       <schema-def>
    ...
       </schema-def>
    </app-schema-def>
    
  7. In IDS Trace, locate the <NDS> tag, then paste the contents of the <NDS> tag into the <schema-def> tag in the *ShimConfig.xml file.

    Make sure you do not include the <NDS> tag itself as part of what you copy and paste into the *ShimConfig.xml file.

  8. Search for any duplicate <ClassDef> elements in the schema definition and consolidate all attribute definitions <attr-def> under a single <ClassDef> element.

  9. Save the changes to the schema file (Ctrl+S), then restart Analyzer.
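
Step 8 as a script, added here as an example and not part of Novell's documentation or tooling: it folds every repeated <ClassDef> into the first one with the same name and reports attribute definitions that disagree, so they can be resolved by hand. The class-name, attr-name and multi-valued attribute names and the sample schema are assumptions; check them against your own *ShimConfig.xml and work on a copy of the file.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the procedure above; the
# class-name, attr-name and multi-valued attributes are assumptions.
SAMPLE = """<shim-config>
  <app-schema-def>
    <schema-def>
      <ClassDef class-name="Person">
        <attr-def attr-name="FullName"/>
        <attr-def attr-name="Mail"/>
      </ClassDef>
      <ClassDef class-name="Group">
        <attr-def attr-name="Members"/>
      </ClassDef>
      <ClassDef class-name="Person">
        <attr-def attr-name="Mail" multi-valued="true"/>
        <attr-def attr-name="Phone"/>
      </ClassDef>
    </schema-def>
  </app-schema-def>
</shim-config>"""


def consolidate_classes(root, class_key="class-name", attr_key="attr-name"):
    """Fold duplicate <ClassDef> elements into the first one of each name.

    Returns (merged, conflicts): merged maps a class name to the number of
    duplicate elements removed; conflicts lists (class, attribute) pairs
    whose definitions differ, in which case the first definition is kept.
    """
    merged, conflicts = {}, []
    for schema in list(root.iter("schema-def")):
        first_seen = {}  # class name -> first <ClassDef> with that name
        for cls in list(schema.findall("ClassDef")):
            name = cls.get(class_key)
            if name is None:
                raise ValueError("ClassDef without a %s attribute" % class_key)
            keeper = first_seen.setdefault(name, cls)
            if keeper is cls:
                continue
            known = {a.get(attr_key): a for a in keeper.findall("attr-def")}
            for child in list(cls):
                key = child.get(attr_key) if child.tag == "attr-def" else None
                if key is not None and key in known:
                    if known[key].attrib != child.attrib:
                        conflicts.append((name, key))
                    continue  # already defined on the consolidated class
                if key is not None:
                    known[key] = child
                keeper.append(child)
            schema.remove(cls)
            merged[name] = merged.get(name, 0) + 1
    return merged, conflicts


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)
    merged, conflicts = consolidate_classes(root)
    print("merged:", merged)
    print("review by hand:", conflicts)
    print(ET.tostring(root, encoding="unicode"))
```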

3.25 Outstanding Bugs

A list of all currently open Analyzer bugs is available in Bugzilla by using the following Analyzer Bugzilla query.

4.0 Third-Party License Information

This product includes software developed by IBM Corp. using the Eclipse platform (all rights reserved) and the Apache* Software Foundation. Novell is an Eclipse Foundation Member.

4.1 HSQL License

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group.

5.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell Export Web site for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007-2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at the Novell Patent Web site and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Online Trademark List.

All third-party trademarks are the property of their respective companies.